DPDP Act 2023 Compliance
Tripzo Technologies Pvt Ltd processes personal data under the framework of India's Digital Personal Data Protection Act 2023 ("DPDP Act"). This page summarises our compliance posture.
Our role
Under DPDP, Tripzo is a Data Fiduciary for data we process about our subscribers (agency owners and staff). For data that subscribers upload about their own customers, our subscribers are the Data Fiduciaries and Tripzo is the Data Processor.
Lawful basis for processing
We process personal data on these legal bases:
- Consent — given freely during signup, withdrawable anytime
- Contractual necessity — to deliver the SaaS service
- Legal obligation — GST records, tax filings, court orders
Data principal rights
Every individual whose personal data we process has the right to:
- Information about processing purpose, recipients, retention
- Access to their data in a portable format
- Correction and erasure of inaccurate / unnecessary data
- Grievance redressal via our Grievance Officer (below)
Grievance Officer
Per Section 10 of the DPDP Act:
- Name: Tripzo Data Protection Officer
- Email: dpo@tripzo.com
- Response time: 30 days from receipt of a written complaint
If unresolved, you may approach the Data Protection Board of India.
Significant Data Fiduciary
As of the effective date, Tripzo does not meet the threshold of "Significant Data Fiduciary" under Section 10. If our scale changes, we will publish updated obligations here, including DPIA results and auditor reports.
Children's data
We do not knowingly process personal data of individuals under 18 as data principals. Booking records may include passport details of minor travellers — these are managed by the agency on behalf of the minor's legal guardian, with consent obtained directly by the agency.
Cross-border transfer
Tripzo data is primarily hosted in Mumbai (AWS ap-south-1). Limited transfers to sub-processors abroad (Anthropic for AI Quote, Postmark for email) are governed by Standard Contractual Clauses and listed in our Privacy Policy.
Security measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access control: role-based (Spatie), per-user TOTP 2FA
- Audit: every data access is logged via Spatie Activitylog
- Isolation: per-tenant Postgres database (Stancl Tenancy 3.x)
- Backups: daily encrypted, 30-day retention
- Vulnerability management: monthly Composer audit, quarterly third-party penetration tests planned
Breach notification
In the event of a personal-data breach, we will:
- Notify the Data Protection Board of India within 72 hours
- Notify affected data principals via email and an in-app banner
- Publish a public incident report within 30 days
Changes
This page is reviewed annually and after any material regulatory or operational change.